Pages

"Some birds aren't meant to be caged, their feathers are just too bright"- Morgan Freeman, Shawshank Redemption. This blog is from one such bird who couldn't be caged by organizations who mandate scripted software testing. Pradeep Soundararajan welcomes you to this blog and wishes you a good time here and even otherwise.

Tuesday, March 29, 2011

This is a conversation I had with a good friend of mine. She is passionate about teaching testing and has changed her teaching style tremendously over the last couple of years.

I have changed a few words and broke down sentences from the conversation to make it more reading friendly. So, Mansi, when you read this and you spot anything that I have goofed up, please correct me.

Mansi: You are a monopoly for teaching exploratory testing in India.

Me: Yes, thank you. ( Of course, MB and JB visit India )

Mansi: How do you feel about it?

Me: I feel bad but also feel good.

Mansi: Good and bad?

Me: No, Bad and then Good.

Mansi: Why would you feel bad?

Me: I feel good because it helps me make money that gets me to feed my family and myself. I feel bad because being an evangelist of exploratory testing in India, I haven't seen people wanting to teach exploratory testing or even if I have seen, they aren't pursuing it.

Me: You mean, I am the blocker for someone teaching exploratory testing in India? That's funny.

Mansi: You have set an entry barrier to them.

Me: What kind of an entry barrier have I set? I have been asking all my students to consider practicing to teach exploratory testing and I am willing to help them out. Why would I set entry barriers?

Mansi: Well, what I mean by entry barrier is, you would intimidate them with a lot of questions on their effectiveness to teach and all that.

Me: If I ask questions about how they plan to teach, why should they get intimidated by that? As a matter of fact, I would ask questions to them to see if I could help them not do the mistakes I did. I may learn to do a new exercise for my class from them.

Mansi: Because you are THE guy for exploratory testing in India.

Me: James Bach would hate to hear that. I am not an authority trying to prevent anyone from doing anything they want to. Look at you, Mansi, your class is filled with hands on exercises these days as opposed to your past of running through slides. I think I have helped you do what you love to.

Mansi: Yeah, thats all there but I am using exercises that I learnt from you for a class on testing. I don't teach exploratory testing per se.

Me: Oh, you mean, you don't teach exploratory testing by using the title exploratory testing?

Mansi: You play with words.

Me: I am just trying to understand.

Mansi: See, this is what I was telling.

Me: I intimidated you?

Mansi: No, your view of things are different.

Me: So, is yours and thats why we are friends and have a lot to talk to each other.

Mansi: OK, so tell me, why haven't testers in India want to teaching exploratory testing despite you doing so many workshops on it?

Me: Maybe because they enjoy doing exploratory testing than teaching it. Maybe they are working on the skills and one of them might start to do it. Or just as you are doing, "Not by that title".

Mansi: ... or maybe they are intimidated?

Me: You are free to think anything but here is what I can tell to all people. James Bach and Michael Bolton didn't teach me how to teach but they did teach me how to learn things. I carefully observed how they coach testers and tried to ape them initially. I must have failed aping them but in that process, I also found my own style of coaching that appears to be working for me. If I had thought that James & Michael has set an entry barrier for me to teach exploratory testing, I would have been stuck with that idea and wouldn't have progressed at all.

Mansi: I agree but its fun to have such conversations with you.

Me: Convert the fun of conversations with me to some action.

_ end of conversation with Mansi_

So, to any Indian tester reading this. I have been enjoying a beautiful monopoly of teaching exploratory testing in India. Look at my workshops and events page, you'd know I must have done lots of them. Going forward, I am going to be doing a lot, too. I think I am going to go out of India this year and do these workshops. I am enjoying this monopoly not because I am a bully and have intimidated people or set an entry barrier for someone nor I am an approving authority. There is no certified exploratory testing coach certification that you should get to be able to do it. I am enjoying this monopoly because of people like you not seizing the opportunities dancing in front of you.

Here's how I started: I announced free 2 hour talk on exploratory testing on my blog and a couple of organizations invited me to do it. I got free practice doing exercises for testers and developers as my audience and in turn I faced a number of questions. After doing enough talks, I got an idea of what would work for me and then graduated to announce my one day workshop. After doing that for enough number of times and most importantly by gaining experience doing one day workshop, I moved to doing two days. I tried doing Rapid Software Testing, Testing Skills Workshop and Exploratory Testing. Found my sweet spot, worked on a few exercises of my own + borrowed some from James & Michael (with their permission) and tried things.

After a few months, my students started contributing exercises to my workshop. I started to recognize the problems that testers and managers face in India to get Exploratory testing mainstream into their projects and started to do "Accountable & Manageable Exploratory Testing workshop". Session Based Test Management got into mainstream of my workshop and this led to me consulting and helping organizations achieve this. Today, I have success stories with Indian testers, managers and most importantly organizations that beat the s*** out of all other testing training done in India. Again, its you, dear Indian testers, who make me feel like that. So, if you see me as a big ego out there, ask yourselves, "how have I contributed to it?". If you don't know the answer, then here it is, "You have contributed more to my success than what I have done to myself" although I appear to take complete credit. Jon Bach wrote a beautiful blog post on the testing moment around the same topic.

On the other side of my analysis is that more than 99% of Indian testers are not career risk takers. Most among them think, they have taken enough risk in their career by choosing testing.

So, someone coming out of their so called permanent job in India wanting to teach exploratory testing or becoming a consultant is so unlikely. It may happen but that would definitely be surprising to me. If you dare, get in touch with me, please.

While you would just continue to read or maybe enjoy my blog posts, I would continue to play a monopoly for exploratory testing in India. What a shame!

Thursday, March 24, 2011

At home, while the whole family was watching a reality show, I happened to take the liberty of changing the channel to NDTV 24x7, a leading news channel. A news that had been making headlines over the last couple of days was a prime time discussion.

An experienced pilot was invited on prime time to talk to share his views and he shared something like this, "I am more surprised how these pilots got through the simulator test. If someone fakes the flying hours, they should have been caught at the simulator test. So, there needs to be a scrutiny into how the simulator tests are conducted".

I listened to that and started laughing. People at my home for a moment shifted their focus from the television to me. This is not the first time they are seeing me react to something in a different way than what they thought someone would. Yes, I was definitely thinking about software testing and those who fake their experience. I guess, people at my home know why I laugh.

As you know, I am a strong advocate against faking. I have written a blog post against faking experience and also do have a podcast on it. If you go through the comments section of the blog post, you'd know how people have tried using all F words, B words and A words against me. What you don't know is that, there have been people who have written emails to me abusing me for not understanding why they faked. Most of these people were hoping the world would sympathize against them but they saw me helping them learn that they are spoiling the craft I respect so much. They couldn't tolerate me as much as I couldn't tolerate them.

I was laughing after I heard the news because a thought crossed my mind. I imagined a situation where all testers who have faked their testing experience are put on a flight where both pilots have faked their experience and then there is a thunderstorm and there is an engine failure mid flight. Pam Pam Pam!

Wow! I love to put a camera over there and watch how those fake testers are reacting to such a situation. Now, am I such a sadist to watch people cry out for their life? Not at all. I want to let these people know I care for them but how? It may appear from my previous blog post about faking that I have behaved like an aggressive pitbull and they reciprocate the same when we have bumped into each other.

After a couple of years of writing that post, I see that my focus has shifted from those who fake from those who facilitate people to fake.

Here is a story : Srividya (name changed) sent an email to me telling that she completed a testing course in an institute in Bangalore and she felt they were unethical. She also mentioned that the institute had provided certificates to a lot of testers in her batch and she suspected the same might have happened to hundreds of batches they churned out and to all future batches. Now, every student of that institute didn't buy the idea of faking immediately but to convince them, the institute organized a meet with their alumni (who had faked and got a job in top companies in India). I was so excited to be interacting with a person like her and then she invited me over coffee to talk more details.

On meeting her I discovered her story to be inspiring to a lot of people who would fake their experience as a tester. Most often, it is the desperateness to get a job that drives people to fake. She was the only earning member of her family and she had two brothers studying college. She was working in a BPO after completing her engineering degree and found out that she wanted to get into IT (a typical story). However, what she told me was, "Its easy for a person like me to give in to faking experience and getting a job but I don't want to do that because I have personal ethics that don't allow me to do. I would get in touch with all my friends over the next couple of months who may help me financially, till I get a job as a tester without the fake one".

I was so happy to meet such people. It also made me realize the fact that all these years my focus was on people who end up faking but not on those who opposed it and didn't give in to it. I would definitely want to hire such people for Moolya and I bet these testers would shine and help the company shine.

What I find funny is that NASSCOM is aware of such things or if they are not aware, its a bigger sin. They don't appear to have been bold enough to make a statement as beautiful as the one I am going to make, "All fakers, beware, if you are caught, you can never work in IT".

I see a chemical equation and I am going to help you see it. I have heard from sources who don't want to be quoted at all that faking happens not just by candidates seeking job but also by services companies. So, there goes the balance of the equation. Some clients insist that they need someone with some kinda tool experience for a specific number of years, irrespective of whether the tool exists that many years.

I guess it was Michael Bolton who once pointed out in twitter that he saw a job ad asking potential candidates to have experience in a specific tool for many years while the tool just was introduced a couple of years ago. I wouldn't be surprised if someone applied to the job and got it because their resume' did show the experience asked for.

I am asking the same question, "Why didn't the simulator tests (interview) catch the fake pilots (testers)?"
Time and again, we have been debating a more stringent way of determining experience and what you might be seeing in STC Job board is a change I am happy to be seeing. If I were to write from the influence of the book Outliers ( Malcom Gladwell ), I would have to say, "I am so glad I was born at the right time to see the most important transition happening in testing".

So, coming to the question of why fake pilots scam makes headlines in our country while fake testers scam is not, is because most people in our so called industry think its not as risky as hiring fake pilots to hire testers who have faked their experience. I think its equally dangerous. It may not directly result in loss of lives but it definitely results in loss of a lot of business and hence a lot of jobs and hence a lot of lives are impacted.

Now, someone from NASSCOM is going to say, "Hey, Pradeep doesn't know anything.We have National Skills Registry in place". I don't know why such a powerful organization as NASSCOM isn't putting the red hot iron on such institutes who don't fear to announce in their class, "Students, go fake. You will still get a good life". Oh, by the way, some of the fakers I know got into some of leading companies registered under NASSCOM. So, dear NASSCOM, who is using your National Skills Registry and why don't you publish how many fakers are prevented from getting a job?

Once in a while companies like Wipro, Infosys, TCS announce they have caught the fakers and have removed them from their jobs. Don't believe? Read it here. OK, I appreciate it and what next? Has it stopped? I bet not.

Now, there is another pattern you notice. It's the Indian IT services companies that have caught a few fakers. What about the product organizations? Having worked at product companies (of whom some don't do any background checks) I know their interview process is stringent as compared to the IT services. Also, they don't hire in bulk as much the Indian IT services do. So, there you go. However, I know a few fakers who got through some product firms but I guess, they deserved it for the kind of interview process they had.

As you see from the news, it is a civil offence and I guess an organization like NASSCOM should make a press release. Well, well, well. Who wants to admit that our IT industry lacks a lot of ethics?

Almost everyone in the IT industry and a couple of years of experience on their belt earn sufficient money to make themselves look clean and good. There are definitely a lot of real good people but what's the use. They don't fight against the bad. I guess, the problem is that they are good but not good enough.

I had a false dream a couple of years ago that I could change this whole faking thing happening in India. I walked into a training center pretending to be a person who wants a fake certificate and recorded the conversation I had with the institute as a proof I could show it to the world. I then was advised to focus on people who deserve my time. I have been trying to do that but often realize that the institutes who promote fake experience also deserve my time and attention. I just lack the support I would have needed.

The students in such institutes have already demonstrated by being silent to the bad advice that they don't care . So is NASSCOM, appearing to me as ignorant in bringing a permanent solution to this.

If someone from NASSCOM is going to read this post (which is so unlikely) and is at least as bold as me, I want you to know that if there is one person in India who can help NASSCOM identify and put a permanent stop to this solution, its me. Do you care? I bet not. Will I continue to care? I bet yes.

I am not trying to project, "I am a hero, don't you see that" kind of an image through this blog post but I am trying to project an image that, "You may be a hero and if you are one, speak out. Most importantly, do in your own ways something to prevent the faking thing to grow bigger by each day. At Moolya, our hiring process doesn't ask for someone's CV in the first place. Its their skills and then more skills and then much more skills that matter. The world doesn't listen to small time businessman like me. I need to be an Azim Premji or Narayana Murthy. If I become one, I shall eradicate this whole faking business in testing.

We need to figure out a way to rehabilitate those who have succumbed to the need to fake. That's another thought which if new to me that I didn't have a couple of years ago.

This issue isn't headlines, yet. This shouldn't get to that point. That's all.

Tuesday, March 01, 2011

One of the ways Moolya is going to become a great organization is by attracting, hiring and retaining good testers. Sreenuraj Varma who won our heart for this blog post asked us if he could work for Moolya. We got him to test things out and send us test reports. We found that we liked him to work with us and he liked to work with us. So, we hired him a couple of weeks ago.

Before the project work kicks off, I asked him, what he'd like to develop himself on and he made a list of things that impressed me. I then sat with him to get more specific and identified "writing influentially" as one of the things he wanted to develop. I created an exercise and got him to work on it. I have done this before so I knew what to expect.

I wrote down the goal he had to accomplish:

You are hired as a tester in a team and in your first week you discover that there are many important tests that the team is missing. Your objective is to send a mail to all test team members pointing out the tests they are missing and the impact it has on the project.

To consider:

·You are new to the team

·The team has lot of experienced testers and they know about the project more than you

·You don’t know how they would take your advice

·If your English is bad some people may not take your advice seriously

·This email can help you build or break your credibility with the team

So, he worked on it and got back with the following:

Dear All,

For the last week I was going through the application and the important bugs reported on each module. I feel like there is a lack of concentration on the issues related to security, which I feel important because the application is meant to be used by common people and also the modules are designed to be getting in-cooperated with the bank API’s where there is a possibility that we may lead our users to compromise their valuable details.

As we are in the stage of completion of second round of testing I would suggest that it will be good if we can do a quick analysis in the area of security were our application have to be checked for most common security issues.

Looking forward for your suggestions

-- Sreenuraj

I then reviewed the above email with him stating things that is causing me to not think of it as an influential email and provided specific feedback and asked him to work on it. After a couple of hours, he came back with the following

Dear All,

Last week I was going through the application and was learning the work flow happening in the important modules. I have also gone through the first and second phase test reports we have for the modules. But I think we have not done a security testing for our application. I feel it is important because of the following reasons.

a)Loss of customer confidence

b)Can increase the web sites down time (reinstalling services, restoring from backups etc)

c)Harm to our brand

When I was in module “A” which is the most important one, I found that some basic validations missing for the text fields. No checking was found for validating the special characters. This is found repeated in almost every module I have gone through. Below I am mentioning some of the issues I have came across.

a)Cross site scripting is possible in almost every module

b) Data tampering is allowed

c)The cookies which are used in one session can be used again

As we are in the stage of completion of second round of testing I would suggest that it will be good if we can do a quick analysis in the area of security were our application have to be checked for most common issues.

He read through it, gained some ideas and started to work on the next version of it.

Hi Team,

This is Sreenuraj recently recruited for the position Software tester for the organization. My last week assignment was to learn the project work flow and to refer the available documents which QA holds against each modules of the project like test plans, reports, bug reports etc.

As we are in the completion of second phase I think we have covered almost all the important things in functionality testing. Most of the bugs are fixed and retesting for the same is also done. But some of the bugs reported against the security testing done in important modules are found to be in open state. I have also noted that some of the bugs were raised in the first stage of testing. Because of that I think the number of issues reported against security testing in the second phase have gone down. Also there is no status report available for those bugs from the development side.

Below mentioned are some of the important issues I have came across in the application which was not found in the bug reports may be not reported because of the above said reasons:

a)The validations for text boxes in the Login screen and the home page for special characters were missing.

b)User is allowed to insert html scripts into the text fields for the above said pages.

c)The data which is submitted for the module “A” can be tampered and user is able to alter the data which is transferred .(Bypass the client side validations)

d)Data tampering was also success in the module “B” where file type can be changed and user is able to include a file with unsupported extension (like exe .. )

Some of the points I would like to suggest are

1. - Before the completion of phase 2 of testing we should conduct a security testing in the application for the important modules and report the issues found.

2. - Discussion with the development team in regards with the Issues reported and which are still in open stage, also record the status before second phase of testing ends.

3. - It will be good if we can conduct a workshop/training session for both the development & testing team where importance of security related matters in the project can be discussed. Also we can emphasis on client’s expectation in the area of security which is described in the requirement document.

Looking forward for your suggestions

Thanks & Regards

Sreenuraj Varma M

Nah Nah! Not good enough for me. After having coached many testers, I have gained wisdom to understand the point at which I have to step in and do something different than saying, "Not good. I hope you work on these points". So, I decided to send him, my version of the same.

Dear Team,

Greetings!

It is a pleasure to be starting to work with you. In just a week, I was glad to discover that there is great energy you people are bringing in. Its motivating for me to work with you. As I see that a new team member brings in fresh and different value, I'd like to present some kind of value addition I could do.

In this email, I'd like to bring a few points to your notice that might interest you. I am aware that some of the points I am going to bring up here might already be known to you all but I felt it is my responsibility to let you know of what I found.

Security issues for NNNCC Web App (Just an example)

I found that the directory listing is enabled. As we hold confidential information with us and not all pages are exposed to all users, we might be in a position of risking our customers data.

I found that there are error messages that can be customized at the URL. For example, I can make an error message saying, "As Pradeep is on leave, we can't service this" to appear from the page by editing the URL.

I also found that there is a way to bypass the security by storing and using cookies of previous session. When our customers use a public machine to access their data, we are risking the customers data to be known to others who may discover cookies.

Based on the above, I'd like to make a few humble suggestions:

I understand that the focus is on getting our software functionally right but on the effort of trying to get that, we appear to be sacrificing security.

I would love your opinions on budgeting for security testing for every release henceforth. As I am a new hire to this project, I would take up the responsibility for testing security for the next couple of releases till I ramp up on other things.

I would be extremely delighted to meet with you all on this, so am planning to setup a meeting on Friday 24th Feb 3 PM. I have looked into your calendars and have chosen the mutual free time. I am open to suggestions of other date and time.

Thanks and Regards,

-- Pradeep Soundararajan

This time, he came back with the notes he made about this exercise while continuing to work on the skill of writing influential emails. This is going to go to a point where he would learn to practice on his own. He in on the third exercise with me working on test strategy. Our clients are going to be happy to have him on the team. He is showing lots of enthusiasm, hard work and effort. We are happy.

At Moolya, we are going to lay emphasis on how people write and communicate. We might sound stupid but we have realized that people who can write well, get things done quicker and better. In my own consulting experience, I took an email which had not received a favorable response from the management and helped the test team re-write it. We waited for a day and there came a response to it and things got moving.

Add "influential emailing" to your wanna have skills if you are a tester. There's a good example to it in Michael Bolton's blog as well. I am working on a tutorial to help testers write and communicate influentially to stakeholders. Maybe I will take it Star East or Star West.

Posts & Comments

Search this blog

Copyrights

Tester Tested! by Pradeep Soundararajan is licensed under Creative Commons. You must owe credits to Pradeep Soundararajan when you copy paste anything from here by mentioning the name and proper linking to the post. You are not allowed to edit any of the post without permission. For permissions, write to pradeep.srajan@gmail.com